It was recently reported that Google was planning to move the personal data of its UK users out of the EU and into the US. Several outlets reporting on this story have suggested that this would mean that, as Britain has left the EU, the data would no longer be covered by the EU’s world-leading data protection law, the GDPR.
If this were the case, it would make it much harder to access personal data Google holds on you or to work out how, why and for what purposes the data was being used. It would also make it more difficult to make Google correct or delete that data and Google would be able to process your data free from the conditions currently imposed by the GDPR. But this representation of the situation is misleading.
The key message of the UK government has always been that the substance of the GDPR, if not the GDPR itself, will continue to apply in the UK after Brexit. In fact, the main tenets of the GDPR have already been enshrined into UK law with the Data Protection Act 2018.
This legislation will continue to be enforced in its current form by the UK’s data regulator, the Information Commissioner’s Office (ICO), until the end of the Brexit transition period on Dec 31 2020. To all intents and purposes, the UK will still be treated as if it were a part of the EU until this time. That means data processing activities involving UK citizens will still be subject to EU regulatory and judicial bodies (such as the European Court of Justice).
After the transition period elapses, the Data Protection, Privacy, and Electronic Communications Regulations 2019 will come into force and introduce a new “UK GDPR”, which will replicate the majority of the EU GDPR’s substantive features.
So the protections of the GDPR are unlikely to disappear from UK law any time soon, and Google will be required to comply with its substantive provisions. Claims that Google will be able to use UK citizens’ data completely free from GDPR requirements are, for now at least, overblown and hyperbolic.
However, the UK will be able to amend data protection rules set out under the UK GDPR, as it can with any other national legislation. In theory, this will include the ability to establish lower data protection standards than are currently demanded by the EU, including those related to international data transfers.
The EU GDPR currently bans data transfers to non-EU countries that do not provide adequate levels of data protection. Although the US and the EU do have a data transfer agreement, it is being challenged by privacy and data protection interest groups who think US data protection law isn’t strong enough. In particular, they are worried that transferred data could be caught up in the US government’s mass surveillance initiatives.
Another practical change is that enforcing data protection law in the UK will be entirely up to the ICO. And it is perhaps doubtful that this regulator will be as effective as the might of European data protection authorities, backed by the European Court of Justice.
Will other firms follow suit?
Tech firms often view data protection law as a bureaucratic hindrance to their business models. For these sorts of companies, the fewer rules and conditions attached to the processing of their users’ data, the better. If Google moves UK user data from Ireland to the US then, for the reasons explained above, the data could eventually be subject to lower standards and levels of enforcement.
This means there is an obvious and clear incentive for Google to make this shift. In many ways it would be foolish for them not to. And it is probably only a matter of time before we see other tech firms doing the same.
However, it all depends on what the UK actually does after the Brexit transition period. The government may set lower data protection standards, perhaps as a condition of a potential trade deal with the US. But if the standards fall below what the EU deems adequate then it could ban data transfers to the UK, which would be hugely disruptive for many companies with operations in the UK.
On the other hand, there is nothing to stop the UK from adopting higher standards than those of the EU. Given the lack of political interest in matters of data protection, this is perhaps unlikely.
At this point, it is too early to say what is likely to happen in the long term. We simply have to wait and see. But for now, the protections established by the GDPR will play a significant role. Google won’t just be able to do whatever it likes with your data.